baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc

General

Target

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
Size

5.3MB
MD5

86e0f88dcc69e631df6cfd28bb5babb1
SHA1

e7b3552cf10983c97bf3381fe66053f8f5a1ea9c
SHA256

baa175b6fa6ee27992d80995f9eae285f3a3eceb35b655c0c5a5f58b7ac748dc
SHA512

c2e0b76ea267cbe01019cd826c90ffcf84e88da1f16c83ae36cebe543cf75316b5a375a3f053165d4e8fe0b6d65a70558cb08693473d5710dc9de4a44fef7843
SSDEEP

98304:cevOCyjertpQj68ndGaX6tJJQv2FKA75OpVclc02vDRZTEW:pvOCyj2tpYo3u0jc02vVZoW

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

nemu-downloader.exe

description ioc process

File opened (read-only) \??\F: nemu-downloader.exe

description	ioc	process
File opened (read-only)	\??\F:	nemu-downloader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nemu-downloader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	nemu-downloader.exe

Executes dropped EXE 5 IoCs

Processes:

nemu-downloader.exeColaBoxChecker.exeHyperVChecker.exeHyperVChecker.exeHyperVChecker.exe

pid process

4656 nemu-downloader.exe
4808 ColaBoxChecker.exe
4908 HyperVChecker.exe
2140 HyperVChecker.exe
4404 HyperVChecker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

nemu-downloader.exe

pid process

4656 nemu-downloader.exe
4656 nemu-downloader.exe
4656 nemu-downloader.exe
4656 nemu-downloader.exe
Suspicious behavior: LoadsDriver 4 IoCs

Processes:

pid process

660
660
660
660

pid	process
4656	nemu-downloader.exe
4808	ColaBoxChecker.exe
4908	HyperVChecker.exe
2140	HyperVChecker.exe
4404	HyperVChecker.exe

pid	process
4656	nemu-downloader.exe
4656	nemu-downloader.exe
4656	nemu-downloader.exe
4656	nemu-downloader.exe

pid	process
660
660
660
660

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exenemu-downloader.exe

description	pid	process	target process
PID 1852 wrote to memory of 4656	1852	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	nemu-downloader.exe
PID 1852 wrote to memory of 4656	1852	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	nemu-downloader.exe
PID 1852 wrote to memory of 4656	1852	MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe	nemu-downloader.exe
PID 4656 wrote to memory of 4808	4656	nemu-downloader.exe	ColaBoxChecker.exe
PID 4656 wrote to memory of 4808	4656	nemu-downloader.exe	ColaBoxChecker.exe
PID 4656 wrote to memory of 4808	4656	nemu-downloader.exe	ColaBoxChecker.exe
PID 4656 wrote to memory of 4908	4656	nemu-downloader.exe	HyperVChecker.exe
PID 4656 wrote to memory of 4908	4656	nemu-downloader.exe	HyperVChecker.exe
PID 4656 wrote to memory of 2140	4656	nemu-downloader.exe	HyperVChecker.exe
PID 4656 wrote to memory of 2140	4656	nemu-downloader.exe	HyperVChecker.exe
PID 4656 wrote to memory of 4404	4656	nemu-downloader.exe	HyperVChecker.exe
PID 4656 wrote to memory of 4404	4656	nemu-downloader.exe	HyperVChecker.exe

C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe
"C:\Users\Admin\AppData\Local\Temp\MuMuInstaller_3.1.6.0_yx-gl-codex_all_1709777287.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
2⤵
- Enumerates connected drives
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe" checker /baseboard
3⤵
- Executes dropped EXE
PID:4808

C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
"C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe"
3⤵
- Executes dropped EXE
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z778E073C\ColaBoxChecker.exe
Filesize
4.0MB

MD5
839708e3f96cf055436fa08d6205263c

SHA1
a4579f8cb6b80fe3fd50099794f63eb51be3292f

SHA256
1373c5d006a5dbcd9b86cfff9a37616f1245d1333c4adcefc7cd18926b98d752

SHA512
ece67e031e06a0442d935e7d81d0eed57ae92b348b5d104423577478ce226e4a4bde834c54e31d33bfe6f574fb7798ba96886d9e8edb738edee6e7c9c43054cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\HyperVChecker.exe
Filesize
117KB

MD5
dbd84c6083e4badf4741d95ba3c9b5f8

SHA1
4a555adf8e0459bfd1145d9bd8d91b3fff94aad0

SHA256
9ff467bc5a1c377102d25da9fa9c24dcc4375f456510f71584f0714fdfb2af39

SHA512
fb5fe74f64254609e07d6642acf904562bb905cd7c14c6f85ba31bcdbaf06686c0586609ec4f5d2f8f55ff90334dcbb774a3a6e78df74bf1b1d0cd03dec21870

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\baseboard
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\baseboard
Filesize
114B

MD5
0bd26f192ec3bd1baf1118cc910fdb00

SHA1
10ebaace7c11d8df12db5df7694aaa3270744741

SHA256
12d48e8f7f2df595f186b1fc49459743a4d5ff0b1669691f5488a74f487d5014

SHA512
81490a0baaef475972cdc5f7250193cc99f472d3cc149e4412066cc43cd14c5d82c3a87e5bffb23da8465032b8e22cf50374e13b0d710f148dbfe4237c9f8c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\config.ini
Filesize
342B

MD5
048404eeb7f19ff7aea3e0e282b2668f

SHA1
4ee3a5f86c9cc6a0f2fd597e41264249d49d7e30

SHA256
536276708fd9e141dc5036a7feb791a2467c667bb16d7ce90bf2917a68a772a2

SHA512
6fe975bfc6994edb1fddab0fa635a6d34d5624836fa7f77f6029c13ff633ee0af49fe513f1bb24d7c3cc90e83fcba837d82c8e593ca6e68e8101d4f44cf43b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\nemu-downloader.exe
Filesize
3.2MB

MD5
b311535e3673c225b4095f77ca7ea4f5

SHA1
4206e1cbe58428fdbc9b319b8919373646807583

SHA256
7662f1e4e1b4a52cce2fb8c57ffdd4ec8654f3bd1a830814845e75fdcd3f1735

SHA512
57d9d6e592a6cdc3a8ffd514ad21729de15fcdd8b4fd321ce013c9541e08ad6cf3a11bf1479464b5b0fff771552c19ccad2720239779fcd25290c436a287b6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z778E073C\skin.zip
Filesize
509KB

MD5
d59a09fb475ed8cd967e1a5366d7884d

SHA1
8636b3f7d18482ce940607af9d0e51232d8491d4

SHA256
45a97dba97f3613ec8f357d9a36fe336c2795ead0f32081856b9b2dad4620ce1

SHA512
39a667a970f66ba6c28351a038c23bb4f4427e1b584a2cabf962711c64ad7540f09a00b2771c01c965d59f69b5b707e9659349aaf68b6f675695e9e83cf40e58

Download Submit

Analysis

Sharing